2.38 Million Patients Affected by December 2021 Healthcare Breaches

The holiday season is generally slow for most businesses, but that’s not the case for the hacking industry. Hackers unusually ramp up their efforts during the holidays as more people are shopping online. With this, there is an increase in exploitations through phishing attempts, such as when an email seemingly contains a tracking link that is really a malicious link. This contributed to the thirty-five large-scale December 2021 healthcare breaches reported, which affected 2,388,352 patients.

December 2021 Healthcare Breaches and Hacking Incidents

As was the case with the rest of 2021, hacking incidents were the main cause of December’s breaches. Hacking incidents predominantly targeted healthcare providers, with eighteen hacking incidents reported by providers in December 2021. Healthcare provider hacking incidents affected 2,287,656 patients, which comprised 96.25% of patients affected by hacking in December.

There were also six business associate hacking incidents that affected 73,686 patients (3.10% of patients affected by hacking). Six health plans were also targeted by hacking which affected 15,494 patients (0.65% of patients affected by hacking). 

When reporting hacking incidents to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), they also ask the reporting entity to list the “location” in which the breach occurred. In December, hacking incidents occurred in two locations, network server and email. December saw twenty-one network server hacks and nine email hacking incidents. Network server hacks affected 1,849,724 patients (77.82% of patients affected by hacking), while email hacking incidents affected 527,112 patients (22.18% of patients affected by hacking).

December 2021 Healthcare Breaches and Unauthorized Access or Disclosure of PHI

There were significantly fewer incidents of unauthorized access or disclosure of PHI reported in December than is typical in any given month. Of the three incidents reported, two were reported by healthcare providers, while one was reported by a health plan. The healthcare provider incidents affected 4,920 patients representing 54.49% of patients affected by these types of incidents. The health plan incident affected 4,109 patients representing 45.51% of patients affected by these types of incidents.

As with the hacking incidents reported, there were different “locations” from which unauthorized access or disclosure occurred. The incident reported by the health plan occurred through email access or disclosure. One of the healthcare provider incidents was through their electronic medical record platform, affecting 883 patients (9.78% patients affected by these types of incidents). The remaining incident was classified as “other,” affecting 4,037 (44.71% patients affected by these types of incidents). 

December 2021 Healthcare Breaches, Theft, and Improper Disposal of PHI

There was one incident each of theft and improper disposal, both affecting healthcare providers. The PHI theft occurred when paper medical records were stolen, affecting 1,553 patients (0.07% of patients affected by December healthcare breaches). The improper disposal involved the disposal of an unencrypted electronic portable device, affecting 934 patients (0.04% of patients affected by December healthcare breaches). 

Which Entities Reported Breaches?

The OCR publicly posts large-scale breaches on its online breach portal. Below, you can find a list of entities that reported breaches in December of 2021, organized by type of reporting entity and the nature of the incident.

Healthcare Provider Hacks

• Oregon Anesthesiology Group, P.C.: 750,500 patients affected
• Texas ENT Specialists: 535,489 patients affected
• Monongalia Health System, Inc.: 398,164 patients affected
• BioPlus Specialty Pharmacy Services, LLC: 350,000 patients affected
• Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky: 106,910 patients affected
• Fertility Centers of Illinois, PLLC: 79,943 patients affected
• Oregon Eye Specialists: 42,612 patients affected
• Eduro Healthcare, LLC: 8,059 patients affected
• Weddell Pediatric Dental Specialists, LLC: 5,356 patients affected
• Roy Varughese, M.D.: 2,916 patients affected
• Sacramento County Department of Health Services: 2,096 patients affected
• Hope Group LLC: 1,510 patients affected
• Javery Pain Institute: 1,387 patients affected
• OSR Physical Therapy: 714 patients affected
• Surgery Group SC: 500 patients affected
• Northwest Broward Orthopaedics Associates: 500 patients affected
• Apple Blossom Family Practice: 500 patients affected
• Summit Surgical, LLC: 500 patients affected

Business Associate Hacks

• Bansley and Kiener, LLP: 50,119 patients affected
• Bansley and Kiener, LLP: 15,814 patients affected
• Bansley and Kiener, LLP: 2,711 patients affected
• Bansley and Kiener, LLP: 2,297 patients affected
• Peck & Associates, PC: 1,844 patients affected
• Peck & Associates, PC: 901 patients affected

Health Plan Hacks

• Rhode Island Public Transit Authority: 5,015 patients affected
• Great Plains Manufacturing, Inc: 4,110 patients affected
• Andrew Sauchelli, DMD: 3,416 patients affected
• C.E. Niehoff & Company: 1,509 patients affected
• Mertz Manufacturing Inc Health Insurance Plan: 868 patients affected
• UAW Retiree Medical Benefits Trust: 576 patients affected

Healthcare Provider Unauthorized Access or Disclosure of PHI

• Department of Behavioral Health and Developmental Services: 4,037 patients affected
• Baylor Scott & White Medical Center – Waxahachie: 883 patients affected

Health Plan Unauthorized Access or Disclosure of PHI

• Nippon Life Insurance Company of America: 4,109 patients affected

Healthcare Provider Theft

• Skin Care Specialty Physicians: 1,553 patients affected

Healthcare Provider Improper Disposal

• Alabama Department of Rehabilitation Services: 934 patients affected